Authentication SDKs

Developer toolkits to customize or replace the authentication experience and logic for Receiver, StoreFront and NetScaler

For many years there has been customer demand to be able to augment or even replace the authentication capabilities of user-facing Citrix components, to use a preferred strong authentication product or to customize the user experience. Historically this has only been possible with NetScaler, Web Interface and XenApp, only for certain scenarios such as browser access, and typically with limitations on the authentication method because an AD password is required at the end to start a Windows session. Even then, different technical approaches were required for each Citrix component, making the solutions non-transferable or version-specific.

The purpose of introducing Authentication SDKs for Receiver, StoreFront and NetScaler is to better address this growing customer demand, lifting as many limitations as possible while providing a standardized approach that allows reuse across Citrix products.

Forms Logon

The StoreFront Authentication SDK is the primary means to completely control the user experience and the logic used to validate credentials when authenticating to StoreFront or NetScaler. The number, type, and ordering of credential input fields, their descriptions, and the headings and buttons shown on each form, can all be defined much as a developer would lay out a web form. If multiple steps are needed the sequence of forms can be dynamically determined based on user input and responses from credential validation servers or other identity sources. Information about the browser or Receiver version and device platform can also be used to adjust the forms dynamically.

With this SDK, it is straightforward to integrate authentication methods such as Knowledge-Based Authentication, hardware or software One-Time Password (OTP) tokens, SMS, or phone-based voice response.

Forms produced by StoreFront extensions will work for browser logon to NetScaler and StoreFront, and for native Receiver logon to StoreFront. NetScaler logon from native Receiver will be enhanced in future to support these extensions. The same authentication extension can control the logon for all of these cases.

Form rendering normally uses native UI controls and follows accepted platform conventions, for example automatically adjusting to the screen size and orientation or using pop-up windows as appropriate. This results in minor variations in appearance and behaviour on different platforms, but frees the developer from having to write code for every case. It also means that an authentication extension should work even on new Receiver platforms that didn’t exist when the extension was created.

Receiver Extensions for Forms Logon

The Receiver Authentication Manager Plugin SDK extends the reach of the StoreFront Authentication SDK by supporting the creation of credential plugins for Windows Receiver that work in concert with StoreFront extensions. Credential plugins can be used to obtain self-contained authentication factors such as simple OTP codes from soft tokens, or to collect device-based evidence like geo-location to support Risk-Based Authentication (RBA). The ordinary parts of the form are displayed to the user while the plugins are called invisibly to supply the custom credential values. The form may be used to obtain user consent for RBA evidence collection, for example, or to collect a user PIN to supplement a soft token OTP code.

Capability discovery is built-in so StoreFront extensions will be told of the presence of Authentication Manager plugins and can dynamically adjust the form content accordingly. The SDK might be enhanced in future to allow plugins to modify forms before they are displayed and to process information collected by the form before it is submitted; this would allow more sophisticated soft tokens where the user PIN must be supplied as local input to generate the OTP code.

A credential plugin could also display a custom pop-up UI, to support biometric authentication for example.

Specialized SDKs

Windows Receiver also supports the Fast Connect SDK, which enables secure insertion of a username and password, or a smart card PIN, from an external program, providing single sign-on to a Citrix environment. When coordinated with scripting of Receiver actions such as resource launch or reconnect, or simply opening the Receiver UI, this allows partners or customers to address scenarios where authentication is a trigger for automatic actions.

A common use case is proximity badge or biometric authentication, for example in a healthcare setting. An agent program on the device monitors for badge events, identifies the user and prompts for a password if one has not been cached from previous interactions. The credentials are passed securely to Receiver with scripted instructions to reconnect the clinician’s session.

In the case of smart cards, the SDK pre-caches the user PIN to avoid prompts when the smart card is used for authentication to the Citrix broker and the user’s session. The cache is invalidated when the smart card is removed.